On 10.08.2017 23:12, g...@gregj.me wrote:
> Ok I think this is onto something. I changed
>
> <LimitExcept MERGE> to <LimitExcept GET> and the commit worked. When I
> removed the LIMITEXCEPT completely it didn't even request my password (and
> failed).
>
> I'll have our tester test it with that tonight if possible.
>
> Thank You!
>
> Question: What *should* be specified?
If you want all access to be authenticated, you do not need a <Limit> or
<LimitExcept> clause; just the "Require valid-user".
You'd use Limit(Except) in order to impose read-only and read-write
distinction in the request level, before mod_authz_svn kicks in. Here's
an example, the config I use at $DAYJOB for httpd 2.4.x:
<RequireAll>
Require valid-user
<Limit HEAD GET OPTIONS PROPFIND REPORT>
<RequireAny>
Require ldap-group cn=dev,ou=group,dc=example,dc=com
Require ldap-group
cn=dev.readonly,ou=group,dc=example,dc=com
# More reader groups here
</RequireAny>
</Limit>
<LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
<RequireAny>
Require ldap-group cn=dev,ou=group,dc=example,dc=com
# More writer groups here
</RequireAny>
</LimitExcept>
</RequireAll>
I have LDAP authentication set up, and group assignments in LDAP to
distinguish between users with only read access and users with
read/write access. Notice how I use Limit and LimitExcept so that the
list of request methods is the same in both clauses, makes it easy to
check the config by eye and I only have to remember what the "read
access" methods are. :)
-- Brane
